I'm trying to use mod_expires and mod_headers to enable browser caching for my site. I have this in my VirtualHost:
<FilesMatch ".(gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
ExpiresActive On
ExpiresDefault "access plus 1 week"
Header set Cache-Control "public"
Header unset Last-Modified
</FilesMatch>
The Expires and Cache-Control headers are set correctly in my responses:
HTTP/1.1 200 OK
Date: Tue, 28 Jun 2016 16:09:26 GMT
Server: Apache/2.4.7 (Ubuntu)
ETag: "8f44-526a1625962b5-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: public
Expires: Tue, 05 Jul 2016 16:09:26 GMT
Content-Length: 8504
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript
Unfortunately, my browser (Chrome) is still requesting all these static files every time I load my page. I see these requests in my access.log and browser console. What am I doing wrong?
EDIT:
I do have caching enabled in the developer toolbar:
Check if client-side caching is disabled. Google Chrome may disable client-side caching when the DevTools window is open (F12).
I'm trying to setup HTTP Caching for my website. Following is my configuration settings
# 1 YEAR
<FilesMatch "\.(ico|svg|woff|eot|ttf)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(jpg|png|gif|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
Does it make a difference if I place this in my <VirtualHost> settings or outside it? I've placed it inside the <VirtualHost>.
I tried checking the HTTP response for one of the png image using redbot.org and this is what it returned.
HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 09:28:33 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Tue, 26 Aug 2014 05:43:32 GMT
ETag: 1409031812.69
Content-Length: 23907
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
Why is there no Cache-Control max-age header tag?
I also checked using the Google PageSpeed Insights and it still says expiration not specified for all the files.
Did I miss something?
The .htaccess file was not being taken into account due to some missing configuration settings in my apache2.conf file. Making the required changes in the conf file solved the issue.
This is in the context of Cross-origin resource sharing. For the preflight request, the server is not sending the headers set.
When a valid cookie is not passed with the "Options request", the server in it's response is not sending the headers I set, however, it's sending "200 OK". I checked this with curl as can be seen below (obviously, I replaced my valid cookie with a dummy "xyzabcde" here)
The curl request WITHOUT cookie:
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(sends below response...)
HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8
with "-H Cookie:xyzabcde":
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(sends below response...)
HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
The apache config looks something like...
<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header always set Access-Control-Allow-Methods "GET, POST, HEAD, PUT, OPTIONS"
Header always set Access-Control-Allow-Origin "app2_url"
Header always set Access-Control-Max-Age "1800"
.
.
.
<Directory /app1/dir/>
Options Includes FollowSymLinks ExecCGI MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Net
PubcookieInactiveExpire -1
PubcookieAppID app1.company.com
require valid-user
</Directory>
.
.
</VirtualHost>
How can I make all the headers be sent in response to unauthenticated requests?
I guess, Options requests ideally are supposed to not require any authentication.
We solved this with different configuration. Below is the snippet from myApplication.conf file at /usr/local/apache/conf/extra
<Location "/myService">
SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
AuthType Basic
AuthName "myService"
AuthUserFile /usr/local/apache/conf/passwd/passwords
AuthGroupFile /usr/local/apache/conf/passwd/groups
Require group GroupName
Order allow,deny
Allow from env=REDIRECT_noauth
Satisfy any
</Location>
So, we can bypass the authentication:
Based on particular URI, in above example /healthCheck is bypassed
Based on HTTP method, in above example OPTIONS is bypassed and auth will be prompted for other HTTP methods
Hope it helps someone to resolve the issues.
"LimitExcept" directive solved it. In fact, prior to posting the question I tried the directive, however the mistake earlier was including the first two lines ("Options Includes..." and "Alowoverride...") within the "LimitExcept" block.
<Directory /app1/dir/>
Options Includes FollowSymLinks ExecCGI MultiViews
AllowOverride None
<LimitExcept OPTIONS>
Order allow,deny
allow from all
AuthType Net
PubcookieInactiveExpire -1
PubcookieAppID app1.company.com
require valid-user
</LimitExcept> #<- syntax error fixed.
</Directory>
I'm trying to download a static file from another domain. In my .htaccess file, which is in the root directory:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Accept, If-Modified-Since, Origin"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
And here's the request-response cycle where a browser downloads the resource twice:
GET /file HTTP/1.1
Host: www.example.com
Accept: application/json
Origin: http://www.mydomain.com
HTTP/1.1 200 OK
Date: Sat, 07 Sep 2013 21:01:35 GMT
Server: Apache
Last-Modified: Sat, 07 Sep 2013 20:14:45 GMT
Content-Length: 2
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept, If-Modified-Since, Origin
Access-Control-Allow-Methods: GET, OPTIONS
Content-Type: application/json
[]
GET /file HTTP/1.1
Host: www.example.com
Cache-Control: max-age=0
Accept: application/json
Origin: http://www.mydomain.com
If-Modified-Since: Sat, 07 Sep 2013 20:14:45 GMT
HTTP/1.1 304 Not Modified
Date: Sat, 07 Sep 2013 21:01:40 GMT
Server: Apache
The second time you can see that since the file hasn't been modified, the server responds with a 304 Not Modified. Why are the CORS headers not being set for the second response?
It's an apache bug, see below
https://issues.apache.org/bugzilla/show_bug.cgi?id=51223
You can recompile Apache with the patch if you're feeling brave....
i'm trying to setup mod_disk_cache for a url pattern. Server runs Apache/2.2.22
Wanted:
All requests to 'domain.com/location/anyHtmlFile' should be served from cache.
Config:
CacheEnable disk /
CacheIgnoreCacheControl On
SetEnv no-cache
I want this to work:
"if url starts with "/location" do 'UnsetEnv no-cache'
In the apache vhost I tried
<LocationMatch "^/location/.+\.html$">
<LocationMatch "/location/">
and desperately
<LocationMatch "location">
UnsetEnv no-cache
</LocationMatch>
<Location /location/>
UnsetEnv no-cache
</Location>
didn't work, too.
An html file in /location/ has following caching-relevant header attributes (Firefox):
Cache-Control: max-age=14400, public
Date Wed, 05 Jun 2013 11:17:00 GMT
Expires Wed, 05 Jun 2013 15:17:00 GMT
I have just recognized that the requestheader for the same file in chrome says
Cache-Control:public
Cache-Control:no-cache, must-revalidate
I'm setting Cache-Control to 'public' explicitely in the expires.conf.
I commented the global
#SetEnv no-cache
out in my vhost config, but there are still both Cache-Controls in the header. But this shouldn't be the problem as I have 'CacheIgnoreCacheControl On', should it?
Any help?